Bug 168907 - media-gfx/blender KML/KMZ Import Command Injection Vulnerability
Bug#: 168907 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: keith@email.arizona.edu
Component: Vulnerabilities
URL:  http://secunia.com/advisories/24232/
Summary: media-gfx/blender KML/KMZ Import Command Injection Vulnerability
Keywords:  
Status Whiteboard: B2 [glsa] Executioner
Opened: 2007-03-01 17:01 0000
Description:   Opened: 2007-03-01 17:01 0000 
Secunia Research has discovered a vulnerability in Blender, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the insecure use of the "eval()" function in
kmz_ImportWithMesh.py. This can be exploited to execute arbitrary Python
commands by tricking a user into importing a specially crafted "*.kml" or
"*.kmz" file.

The vulnerability is confirmed in version 2.42a. Prior versions may also be
affected.

Solution:
Update to version 2.43, which no longer includes the affected script.


Reproducible: Didn't try




http://secunia.com/advisories/24232/

------- Comment #1 From Jakub Moc (RETIRED) 2007-03-01 17:10:11 0000 ------- 
(In reply to comment #0)
> Solution:
> Update to version 2.43, which no longer includes the affected script.

blender-2.43 is broken (see Bug 167694); not really a solution.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-03-25 07:25:52 0000 ------- 
graphics any news on this one?

------- Comment #3 From Raphael Marichez 2007-04-09 18:47:59 0000 ------- 
graphics team please advise. If it's such a mess, then we'll have to mask it.
It's  about code injection, it's serious.

------- Comment #4 From Luca Barbato 2007-04-09 18:52:39 0000 ------- 
I'm adding right now blender, people with amd64 please check it...

(give me 1h to reshape the ebuild...)

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-04-11 10:00:18 0000 ------- 
Luca, any news on this one?

------- Comment #6 From Luca Barbato 2007-04-11 10:58:18 0000 ------- 
I still need somebody with amd64 to test the ebuild. the ebuild is in portage
but masked because of that.

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-04-11 11:20:33 0000 ------- 
Ahh no update to Changelog.

Maybe just call amd64 to test?

------- Comment #8 From Luca Barbato 2007-04-11 11:59:34 0000 ------- 
Should do. amd64 team please test blender-2.43

------- Comment #9 From Peter Weller 2007-04-12 07:57:32 0000 ------- 
Tested on amd64 and removed from package.mask

------- Comment #10 From Luca Barbato 2007-04-12 08:13:49 0000 ------- 
I guess we could ask for stabilization then ^^

------- Comment #11 From Sune Kloppenborg Jeppesen 2007-04-12 09:18:39 0000 ------- 
Thx.

Arches please test and mark stable. Target keywords are:
blender-2.43.ebuild:KEYWORDS="amd64 ppc ppc64 ~sparc x86"

------- Comment #12 From Peter Weller 2007-04-12 10:28:34 0000 ------- 
amd64 stable

------- Comment #13 From Raúl Porcel 2007-04-12 11:42:41 0000 ------- 
x86 stable

------- Comment #14 From Markus Rothe 2007-04-15 18:38:18 0000 ------- 
ppc64 stable

------- Comment #15 From Tobias Scherbaum 2007-04-17 17:25:02 0000 ------- 
ppc stable

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-05-02 12:06:52 0000 ------- 
GLSA 200704-19